Pilot|RB

View Original

New HIPAA Final Rule Protects Reproductive PHI

Communications

HHS has issued a new final rule (45 CFR Parts 160 and 164) which specifically prohibits the disclosure of PHI related to lawful reproductive health care, when the disclosure is  for criminal or civil investigation or individual identification purposes. Following the momentous Supreme Court ruling in Dobbs and subsequent state laws regulating abortion, HHS has stepped in to add a layer of protection for employees and employers alike.


The new rule applies to requests for PHI, when the health plan finds:

  • The reproductive health care is lawful under the law of the state in which such health care is provided under the circumstances in which it is provided.

    • For example, if a resident of one state traveled to another state to receive reproductive health care, such as an abortion, that is lawful in the state where such health care was provided.

  • The reproductive health care is protected, required, or authorized by Federal law, including the U.S. Constitution, regardless of the state in which such health care is provided.

    • For example, if use of the reproductive health care, such as contraception, is protected by the Constitution.

  • The reproductive health care was provided by a person other than the covered health care provider, health plan, or health care clearinghouse (or business associates) that receives the request for PHI and the presumption described below applies.


The Final Rule continues to permit health plans to use or disclose PHI for purposes otherwise permitted under the Privacy Rule. 


Employer Action: All employers should be aware of the updated restrictions on this type of PHI. Fully insured health plans will generally rely on their carriers for compliance with these new rules.  Self-insured employers should coordinate with their benefits consultants and ASO/TPA providers to ensure substantive compliance and updated HIPAA notices are in place. Additionally, HHS has issued a model attestation that entities (mainly health plans and health service providers) should require to be completed for any PHI request.